
Shibboleth 2.x with Office 365

Shibboleth 2.x with Office 365. David Fisher (dfisher) – 2/21/2013. What is the Shibboleth Identity Provider (IdP)? An open source software package providing similar functionality as ADFS (e.g. SSO, authentication, SAML 2.0).





Presentation Transcript


  1. Shibboleth 2.x with Office 365 David Fisher (dfisher) – 2/21/2013

  2. Shibboleth 2.X with Office 365
  • What is the Shibboleth Identity Provider (IdP)?
    • Open source software package providing similar functionality as ADFS (e.g. SSO, Authentication, SAML 2.0)
    • Popular implementation of SAML 2.x with Higher Education institutions world-wide
    • Shibboleth is managed by the Shibboleth Consortium (http://www.shibboleth.net/index.html)
    • Latest version is 2.3.6
  • How do customers with a Shibboleth IdP* interoperate with Office 365?
    • Set up a SAML 2.0 federation between Office 365 and their Shibboleth IdP
    • Deploy DirSync for user provisioning with AD, and deploy MSOMA+FIM for user provisioning from non-AD
  [Diagram labels: Supported Clients (Email Rich Clients, Web Client); Shibboleth 2.x IdP at Contoso.edu and at Fabrikam.edu; AD and Non-AD sources, each provisioned via MSOMA + FIM]
  * This means that only the Shibboleth implementation of SAML is supported, not any SAML implementation

  3. Sign on experience
  Sign-on method (and the credentials behind it) by client type and identity model:
  • Web Clients (Office with SharePoint Online, Outlook Web Application)
    • Cloud Identity: Username and Password (Online ID)
    • Federation w/ Shibboleth: Username and Password (On-premises credentials)
    • Federation w/ ADFS/3rd party (non-domain joined): Username and Password (AD credentials)
  • Exchange Clients (Outlook, Active Sync/POP/IMAP, Entourage)
    • Cloud Identity: Username and Password (Online ID)
    • Federation w/ Shibboleth: Username and Password* (On-premises credentials)
    • Federation w/ ADFS/3rd party (non-domain joined): Username and Password (AD credentials)
  • Rich Applications (SIA) (Lync, Office Subscriptions, CRM Rich Client)
    • Cloud Identity: Username and Password (Online ID)
    • Federation w/ Shibboleth: Not currently supported
    • Federation w/ ADFS/3rd party (non-domain joined): Username and Password (AD credentials)
  * Exchange client support w/ Shibboleth requires the Enhanced Client/Proxy (ECP) extension to be enabled/configured

  4. Deployment Considerations (Live@edu to Office 365 Upgrade)
  Federation using the Shibboleth IdP supports the following clients:
  • Web-based clients such as Outlook Web App and SharePoint Online.
  • Email-rich clients that use basic authentication and a supported Exchange access method such as IMAP, POP, Active Sync, or MAPI (you must install the Shibboleth IdP Enhanced Client/Proxy (ECP) extension), including:
    • Microsoft Outlook 2007 and 2009
    • Thunderbird 8 and 9
    • iPhone (iOS 4, iOS 5)
    • Windows Phone 7 & 8

  5. Configuring Shibboleth ECP for Office 365 (Live@edu to Office 365 Upgrade)
  In Shibboleth's relying-party.xml, add the following ECP configuration entries to the Microsoft Online Relying Party node (the SSO profile signs assertions conditionally; the ECP profile used by rich e-mail clients must always sign them):

    <rp:RelyingParty id="urn:federation:MicrosoftOnline"
        provider="https://idp.contoso.edu/idp/shibboleth"
        defaultSigningCredentialRef="IdPCredential">
      <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
          signAssertions="conditional" encryptAssertions="never" encryptNameIds="never" />
      <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile"
          signAssertions="always" encryptAssertions="never" encryptNameIds="never" />
    </rp:RelyingParty>

  Add this binding to a local copy of the Microsoft Online metadata. NOTE: The public Microsoft Online metadata does not currently have the entry below.

    <AssertionConsumerService index="2"
        Binding="urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
        Location="https://login.microsoftonline.com/login.srf" />
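The two edits on this slide are easy to get subtly wrong (a missing ECP profile, an ECP profile that only signs conditionally, or a metadata copy without the PAOS endpoint), and each failure shows up only as rich clients silently failing to sign in. The script below is an added example, not part of the original slides or of the Shibboleth project: it parses a relying-party.xml and a local copy of the Microsoft Online metadata with Python's standard xml.etree and reports which of the required entries are missing. The namespace URIs are the ones used by Shibboleth 2.x relying-party.xml and SAML 2.0 metadata; both XML documents embedded in it are constructed samples for illustration, not the real files.

```python
"""Sanity-check the Office 365 ECP entries in a Shibboleth 2.x relying-party.xml
and in a local copy of the Microsoft Online SAML metadata.

Added example, not part of the original slides.  Element and attribute names
follow the Shibboleth 2.x relying-party.xml schema and the SAML 2.0 metadata
schema; both XML documents below are constructed samples, not the real files.
"""
import xml.etree.ElementTree as ET

NS = {
    "rp": "urn:mace:shibboleth:2.0:relying-party",
    "xsi": "http://www.w3.org/2001/XMLSchema-instance",
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
}
PAOS_BINDING = "urn:oasis:names:tc:SAML:2.0:bindings:PAOS"
MSOL_ENTITY_ID = "urn:federation:MicrosoftOnline"

# Constructed relying-party.xml fragment mirroring the slide's Microsoft Online node.
RELYING_PARTY_XML = """\
<rp:RelyingPartyGroup xmlns:rp="urn:mace:shibboleth:2.0:relying-party"
    xmlns:saml="urn:mace:shibboleth:2.0:relying-party:saml"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <rp:RelyingParty id="urn:federation:MicrosoftOnline"
      provider="https://idp.contoso.edu/idp/shibboleth"
      defaultSigningCredentialRef="IdPCredential">
    <rp:ProfileConfiguration xsi:type="saml:SAML2SSOProfile"
        signAssertions="conditional" encryptAssertions="never" encryptNameIds="never"/>
    <rp:ProfileConfiguration xsi:type="saml:SAML2ECPProfile"
        signAssertions="always" encryptAssertions="never" encryptNameIds="never"/>
  </rp:RelyingParty>
</rp:RelyingPartyGroup>
"""


def metadata_sample(include_paos: bool) -> str:
    """Constructed Microsoft Online metadata; include_paos=False mimics the public
    copy that the slide says lacks the PAOS AssertionConsumerService."""
    paos = ('    <md:AssertionConsumerService index="2"\n'
            f'        Binding="{PAOS_BINDING}"\n'
            '        Location="https://login.microsoftonline.com/login.srf"/>\n'
            if include_paos else "")
    return (
        '<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"\n'
        f'    entityID="{MSOL_ENTITY_ID}">\n'
        '  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">\n'
        '    <md:AssertionConsumerService index="0"\n'
        '        Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"\n'
        '        Location="https://login.microsoftonline.com/login.srf"/>\n'
        + paos +
        '  </md:SPSSODescriptor>\n'
        '</md:EntityDescriptor>\n'
    )


def _local(qname: str) -> str:
    """Local part of a prefixed QName attribute value such as 'saml:SAML2ECPProfile'."""
    return qname.rsplit(":", 1)[-1]


def check_relying_party(xml_text: str, entity_id: str = MSOL_ENTITY_ID) -> list:
    """Return problems found in the RelyingParty for entity_id; [] means it is ECP-ready."""
    root = ET.fromstring(xml_text)
    rp = next((e for e in root.iter(f"{{{NS['rp']}}}RelyingParty")
               if e.get("id") == entity_id), None)
    if rp is None:
        return [f"no RelyingParty with id {entity_id}"]
    xsi_type = f"{{{NS['xsi']}}}type"
    profiles = {_local(p.get(xsi_type, "")): p
                for p in rp.findall("rp:ProfileConfiguration", NS)}
    problems = []
    if "SAML2SSOProfile" not in profiles:
        problems.append("SAML2SSOProfile missing: browser SSO will not work")
    ecp = profiles.get("SAML2ECPProfile")
    if ecp is None:
        problems.append("SAML2ECPProfile missing: Exchange rich clients will not work")
    elif ecp.get("signAssertions") != "always":
        problems.append('SAML2ECPProfile must use signAssertions="always"')
    return problems


def check_metadata(xml_text: str, entity_id: str = MSOL_ENTITY_ID) -> list:
    """Return problems found in the SP metadata for entity_id; [] means a PAOS endpoint exists."""
    root = ET.fromstring(xml_text)
    ed = next((e for e in root.iter(f"{{{NS['md']}}}EntityDescriptor")
               if e.get("entityID") == entity_id), None)
    if ed is None:
        return [f"no EntityDescriptor with entityID {entity_id}"]
    acs = ed.findall("md:SPSSODescriptor/md:AssertionConsumerService", NS)
    paos = [a for a in acs if a.get("Binding") == PAOS_BINDING]
    if not paos:
        return ["no AssertionConsumerService with the PAOS binding: ECP responses "
                "have nowhere to go, add it to the local metadata copy"]
    # The ECP response carries a signed assertion; insist it travels over TLS.
    return ["PAOS AssertionConsumerService Location is not https"
            for a in paos if not (a.get("Location") or "").startswith("https://")]


if __name__ == "__main__":
    for name, result in [
        ("relying-party.xml", check_relying_party(RELYING_PARTY_XML)),
        ("metadata (with PAOS)", check_metadata(metadata_sample(True))),
        ("metadata (public copy)", check_metadata(metadata_sample(False))),
    ]:
        print(f"{name}: {'OK' if not result else '; '.join(result)}")
```

Run it as-is to see the constructed samples checked, or point check_relying_party and check_metadata at the text of your own files. The checks are deliberately narrow: they confirm the entries from the slide are present and that the ECP profile always signs, which is what lets Office 365 trust an assertion delivered through the PAOS channel rather than through the browser.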

  6. Non-AD Synchronization
  • Preferred option for Directory Synchronization with Non-AD Sources
  • Non-AD support with FIM is available through Microsoft-led deployments
  • FIM 2010 Office 365 connector supports complex multi-forest topologies
  [Diagram labels: Windows Azure Active Directory; Office 365 Connector on FIM; Federation using Non-ADFS STS; Non-AD (LDAP) On-Premises Identity, Ex: Domain\Alice User]
